Rule Library

Sigma Rules

7 rules found for "Julia Fomina"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionmediumtest

AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

WindowsFile Event
TA0005 · Defense EvasionT1216 · System Script Proxy Execution
Julia Fomina+1Tue Oct 06windows
Detectionmediumtest

Code Execution via Pcwutl.dll

Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.

WindowsProcess Creation
TA0005 · Defense EvasionT1218.011 · Rundll32
Julia Fomina+1Mon Oct 05windows
Detectionmediumtest

Execute Code with Pester.bat

Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)

WindowsProcess Creation
TA0002 · ExecutionT1059.001 · PowerShellTA0005 · Defense EvasionT1216 · System Script Proxy Execution
Julia Fomina+1Thu Oct 08windows
Detectionmediumtest

DLL Execution via Rasautou.exe

Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.

WindowsProcess Creation
TA0005 · Defense EvasionT1218 · System Binary Proxy Execution
Julia Fomina+1Fri Oct 09windows
Detectionmediumtest

Capture Credentials with Rpcping.exe

Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.

WindowsProcess Creation
TA0006 · Credential AccessT1003 · OS Credential Dumping
Julia Fomina+1Fri Oct 09windows
Detectionmediumtest

AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

WindowsProcess Creation
TA0005 · Defense EvasionT1216 · System Script Proxy Execution
Julia Fomina+1Tue Oct 06windows
Detectionmediumtest

Remote Code Execute via Winrm.vbs

Detects an attempt to execute code or create service on remote host via winrm.vbs.

WindowsProcess Creation
TA0005 · Defense EvasionT1216 · System Script Proxy Execution
Julia Fomina+1Wed Oct 07windows